package com.ggb.smartstudy.config;

import com.ggb.smartstudy.service.util.CustomUserDetailsService;
import com.ggb.smartstudy.utils.CustomAuthenticationFailureHandler;
import com.ggb.smartstudy.utils.CustomAuthenticationSuccessHandler;
import com.ggb.smartstudy.utils.ShaPasswordEncoder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * @author gefangjie
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private final CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
    private final CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
    private final CustomUserDetailsService customUserDetailsService;
    private final ShaPasswordEncoder shaPasswordEncoder;

    public SecurityConfig(CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler, CustomAuthenticationFailureHandler customAuthenticationFailureHandler, CustomUserDetailsService customUserDetailsService, ShaPasswordEncoder shaPasswordEncoder) {
        this.customAuthenticationSuccessHandler = customAuthenticationSuccessHandler;
        this.customAuthenticationFailureHandler = customAuthenticationFailureHandler;
        this.customUserDetailsService = customUserDetailsService;
        this.shaPasswordEncoder = shaPasswordEncoder;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((requests) -> requests
                        // 允许所有用户访问"/login"路径
                        .requestMatchers("/login").permitAll()
                        // 允许所有用户访问"/user/register"路径
                        .requestMatchers("/user/register").permitAll()
                        // 允许所有用户访问"/error"路径
                        .requestMatchers("/error").permitAll()
                        // 需要READ_COURSE_CATEGORIES权限才能访问
                        .requestMatchers("/admin/courseCategory/getAll").hasAuthority("READ_COURSE_CATEGORIES")
                        .requestMatchers("course/add").hasAuthority("CREATE_COURSES")
                        .requestMatchers("course/delete/").hasAuthority("DELETE_COURSES")
                        // 角色权限配置
                        .requestMatchers("/admin/user/**").hasRole("ADMIN")
                        // 允许所有用户访问"/public/**"路径
                        .requestMatchers("/public/**").permitAll()
                        .requestMatchers("/admin/course/**").hasAnyRole("ADMIN", "TEACHER")
                        // 其他路径需要认证
                        .anyRequest().authenticated()
                )
                // 配置登录页面
                .formLogin((form) -> form
                        .loginPage("/login").permitAll()
                        .successHandler(customAuthenticationSuccessHandler)
                        .failureHandler(customAuthenticationFailureHandler)
                )
                // 配置登出页面
                .logout((logout) -> logout
                        .logoutSuccessUrl("/login?logout=true").permitAll()
                )
                // 禁用CSRF
                 .csrf().disable();

        return http.build();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserDetailsService).passwordEncoder(shaPasswordEncoder);
    }
}
